Here's a window, during which User2 is able to create a hardlink and
that will remain unnoticed by User1. There's no way to perform link
check and conditionally do chmod in an atomic manner.

0700 on directory prevents hardlink creation, see?

Do you still remember about openat()? If the directory was created with 0700
mode from the origin, you would be right, and procfs wouldn't allow opening
files in that directory too, but if you let others to traverse that directory
and open your believed to be secure files from the origin, it's your fault.